Colorado's Tougher Breach Law: Healthcare Incidents Included

Starting Sept. 1, organizations in Colorado must notify victims of breaches of personal information - including health data - within 30 days of determination that a breach occurred. That's a tougher requirement than the HIPAA breach notification rule, which requires notification of individuals within 60 days of discovery.

The new state law, which has tougher requirements than previous legislation, also requires notification of the Colorado attorney general within 30 days of breaches if more than 500 state residents have been affected.

Colorado's Protections For Consumer Data Privacy, recently signed into law by Gov. John Hickenlooper, contains some provisions for data security that are more rigorous than many other state breach laws. Efforts to enact a uniform federal data breach notification law, other than HIPAA, so far have been unsuccessful.

"This is part of a continuing trend in the states to add additional elements and complexity to their breach notification laws," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "We will continue to see these tweaks unless Congress steps in and passes a unifying national law."

Attorney Steven Teppler of the Abbott Law Group explains that while Colorado's 30-day breach notification deadline is shorter than HIPAA's 60-day notification deadline for major breaches, the timer on Colorado's notification starts upon "determination" that a security incident is a breach, meaning that there is sufficient evidence to conclude that a breach has taken place. By comparison, the notification requirement under HIPAA starts upon "discovery" of a breach of unsecured protected health information.

Also, Colorado notification can be further delayed if law enforcement determines that issuing a notice will impede a criminal investigation, he notes.

Colorado's 30-day notification requirement is not as strict as the notification provisions in some other states.

For instance, California requires health data breaches to be reported to affected individuals within 15 days of the breach being detected. For breaches that do not involve health data, notification must be made in "the most expedient time possible and without unreasonable delay," the California law states.

"Colorado's law is strong, but it's not as strong as Florida's in some respects," Teppler notes.

Wider Ranging?

The new Colorado law will have an impact on a broad range of organizations that handle healthcare information, including entities that are not physically located in the state, says privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek.

"For example, HIPAA covered entities and business associates creating or maintaining the health information of Colorado residents will need to comply with the notification requirements and timelines when an incident results in the unauthorized disclosure of their health information outside the borders of Colorado," he notes.

Organizations that handle health information but do not qualify as HIPAA covered entities (CEs) or business associates (BAs) will also be required to perform the steps called for in the new Colorado statute, Holtzman points out.

"For example, health care app vendors and developers that create or maintain health data [for residents of Colorado] that is being shared with a healthcare provider will be required to meet the Colorado statute's requirements for securely maintaining and disposing of personal information as well as the breach reporting and notification requirements," he says. "Also in the scope of this new law will be educational institutions that create or maintain health information that is generally subject to the requirements of the FERPA [Family Educational Rights and Privacy Act]."

Nahra also predicts that the Colorado law will have a substantial impact on "non-HIPAA" entities that handle health information, including those offering certain wearable devices and mobile apps. "And because the law is driven by the residence of the impacted individual, this provision, in theory, applies regardless of where the entity is."

Attorney Lynn Sessions, a partner at law firm BakerHostetler, notes other important changes made in the Colorado law include the expansion of the definition of personal information to include more than just Social Security numbers, driver's license numbers and financial account information. For instance, "biometric" information is now included under the banner of breached personal information subject to notification.

Steps to Take

In light of the new Colorado law, what steps do healthcare organizations need to take?

"Organizations will need to review their incident response and review policies and procedures to ensure the scheme provides sufficient time to investigate, assess and perform the necessary notifications within the time set by the Colorado statute," Holtzman says.

Sessions adds that it's also critical for entities to educate their staff on the changes and the need to quickly report and investigate suspected breaches. "They should also take a look at their policies and procedures as well as technical safeguards," she says.

Colorado's updated breach notification regulation was signed into law just days after the May 25 enforcement date for the European Union's General Data Protection Regulation.

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
